feat: add CI workflow for linting #165
📝 Walkthrough
Adds a CI workflow for shellcheck, yamllint, and hadolint, adds lint configs, and adjusts Containerfile and shell scripts for cleaner package cleanup, quoting, and shellcheck compatibility.
Changes: CI Linting and Shell Hardening
🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)
1-38: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Add explicit least-privilege `permissions` and disable credential persistence.
Static analysis flags default (unset) `permissions` and unset `persist-credentials` on all three checkout steps. Since these jobs only run linters and never need to write to the repo or persist git credentials, tightening this reduces the blast radius if a linter action is ever compromised.
🔒 Proposed hardening
name: CI on: push: branches: [ main ] pull_request: branches: [ main ] +permissions: + contents: read + jobs: shellcheck: name: ShellCheck runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Run ShellCheck run: shellcheck entrypoint.sh scripts/pt-manager.sh cli/claudio yaml-lint: name: YAML lint runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Run yamllint run: yamllint -c .yamllint.yml .github/workflows/*.yml integrations/gitlab-ci/claudio.yml hadolint: name: Hadolint runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Run hadolint uses: hadolint/hadolint-action@v3.1.0 with: dockerfile: Containerfile🤖 Prompt for AI Agents
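Review bot: the proposed diff still references `actions/checkout@v6` and `hadolint/hadolint-action@v3.1.0` by mutable tag, so the "linter action is ever compromised" case the comment raises is only half closed; a re-tagged `v6` or `v3.1.0` would pull new code into the job with no change to this file. Pin both to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v6`, and keep the workflow-level `permissions: contents: read` as shown, since none of the three jobs writes anything back to the repository.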
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml around lines 1 - 38, The CI workflow is relying on default GitHub token permissions and the checkout steps still persist credentials, which is broader than needed for lint-only jobs. Update the workflow jobs named shellcheck, yaml-lint, and hadolint to set explicit least-privilege permissions, and change each actions/checkout@v6 step to disable credential persistence. Keep the existing lint commands and job structure unchanged while tightening the security settings around checkout.
Source: Linters/SAST tools
📒 Files selected for processing (6)
- .github/workflows/ci.yml
- .hadolint.yaml
- .yamllint.yml
- Containerfile
- cli/claudio
- entrypoint.sh
🧹 Nitpick comments (2)
.github/workflows/ci.yml (2)
14-14: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Set `persist-credentials: false` on checkout steps.
None of these lint jobs push or need the checked-out git credential afterward; leaving it persisted is unnecessary credential exposure risk flagged by zizmor (artipacked).
🔒 Suggested fix (apply to all three checkout steps)
- - uses: actions/checkout@v7 + - uses: actions/checkout@v7 + with: + persist-credentials: falseAlso applies to: 23-23, 37-37
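Review bot: the first two lines of this diff replace `- uses: actions/checkout@v7` with the identical line, so the only real change is the added `with:` / `persist-credentials: false` block; apply it as a pure insertion under each of the three checkout steps (lines 14, 23 and 37 per the comment) rather than as a no-op line replacement. It is also worth stating what the setting removes: with the default, checkout stores the job token in the workspace `.git/config` as an `http.extraheader` so later git commands can authenticate, and that file is what a compromised later step or an archived workspace would read. The setting does not take `GITHUB_TOKEN` away from steps that reference `${{ github.token }}` or `secrets.GITHUB_TOKEN`, so the `permissions` change is still needed alongside it.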
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml at line 14, The checkout steps in the CI workflow are persisting git credentials unnecessarily, which creates avoidable exposure risk. Update each `actions/checkout` usage in the workflow to set `persist-credentials: false`, including the checkout step near the lint jobs and the other two checkout steps referenced in the review, so the jobs still fetch code without leaving credentials available afterward.
Source: Linters/SAST tools
1-43: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Add explicit least-privilege `permissions:` block.
No `permissions:` block is set, so jobs default to the (potentially broad) repo-configured `GITHUB_TOKEN` permissions. These jobs only run linters against checked-out code and don't need write access.
🔒 Suggested fix
name: CI +permissions: + contents: read + on: push: branches: [ main ]🤖 Prompt for AI Agents
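Review bot: placing `permissions:` between `name:` and `on:` is valid, since top-level key order is not significant, but the comment should say that a workflow-level block replaces the repository default for every job rather than narrowing it: once `contents: read` is declared, every unlisted scope becomes `none`, so any job added later that needs to write (for example `security-events: write` to upload SARIF, or `pull-requests: write` to comment) must declare its own job-level `permissions`. The trigger also matters: on `pull_request` from a fork the token is already read-only, so this change has its effect on the `push` to `main` path, where the default token can carry write scopes.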
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml around lines 1 - 43, Add an explicit least-privilege permissions block to the CI workflow so the default GITHUB_TOKEN is not broader than needed. Update the workflow-level configuration in the CI file and set permissions for the ShellCheck, YAML lint, and Hadolint jobs to read-only access only, since these jobs only check out code and run linters. Use the existing job names and the top-level workflow structure to place the new permissions block cleanly.
Source: Linters/SAST tools
📒 Files selected for processing (6)
- .github/workflows/ci.yml
- .hadolint.yaml
- .yamllint.yml
- Containerfile
- cli/claudio
- entrypoint.sh
✅ Files skipped from review due to trivial changes (4)
- .hadolint.yaml
- .yamllint.yml
- cli/claudio
- entrypoint.sh
🚧 Files skipped from review as they are similar to previous changes (1)
- Containerfile
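The two CodeRabbit comments above flag an unset `permissions` block and checkout steps that keep credentials, and the suggested diffs still reference actions by mutable tag. The following scanner is an added illustration of those three checks, not code from this PR or its project: it walks a workflow file line by line (deliberately without PyYAML, and assuming the two-space indentation the PR's ci.yml uses) and reports each gap. `ORIGINAL` is an abridged, constructed copy of the workflow shown in the first review comment, `HARDENED` is the same file with the review's fixes applied, and `PIN` is a placeholder of 40 hex characters standing in for a real commit SHA.

```python
"""Line-based hardening scan for a GitHub Actions workflow (added example,
not the project's code). Checks: top-level permissions block present,
every `uses:` pinned to a 40-hex commit SHA, and every actions/checkout
step setting persist-credentials: false."""
import re

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
SHA_RE = re.compile(r"@[0-9a-f]{40}$")
PERSIST_OFF_RE = re.compile(r"^\s*persist-credentials:\s*false\b")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _checkout_disables_persist(lines, idx):
    """True if the checkout step whose `uses:` is at lines[idx] sets
    persist-credentials: false in its own keys or `with:` block."""
    step_indent = lines[idx].index("uses")
    for line in lines[idx + 1:]:
        if not line.strip():
            continue
        if _indent(line) < step_indent:  # next step, or end of the steps list
            break
        if PERSIST_OFF_RE.match(line):
            return True
    return False


def scan_workflow(text):
    """Return a list of finding strings; an empty list means all checks pass."""
    findings = []
    lines = text.splitlines()
    # Only a column-0 `permissions:` key counts as the workflow-level block.
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("workflow: no top-level permissions block, "
                        "GITHUB_TOKEN keeps the repository default")
    for i, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if not SHA_RE.search(ref):
            findings.append(f"line {i}: {ref} is pinned to a mutable tag, not a commit SHA")
        if ref.startswith("actions/checkout@") and not _checkout_disables_persist(lines, i - 1):
            findings.append(f"line {i}: checkout leaves the job token in .git/config "
                            "(persist-credentials not false)")
    return findings


# Constructed sample: abridged copy of the workflow from the first review comment.
ORIGINAL = """\
name: CI
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
jobs:
  shellcheck:
    name: ShellCheck
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Run ShellCheck
        run: shellcheck entrypoint.sh scripts/pt-manager.sh cli/claudio
  hadolint:
    name: Hadolint
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v6
      - name: Run hadolint
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Containerfile
"""

PIN = "a" * 40  # placeholder, not a real SHA: substitute the vetted release commit
HARDENED = f"""\
name: CI
permissions:
  contents: read
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
jobs:
  shellcheck:
    name: ShellCheck
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@{PIN}  # v6
        with:
          persist-credentials: false
      - name: Run ShellCheck
        run: shellcheck entrypoint.sh scripts/pt-manager.sh cli/claudio
  hadolint:
    name: Hadolint
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@{PIN}  # v6
        with:
          persist-credentials: false
      - name: Run hadolint
        uses: hadolint/hadolint-action@{PIN}  # v3.1.0
        with:
          dockerfile: Containerfile
"""

if __name__ == "__main__":
    for name, wf in (("original", ORIGINAL), ("hardened", HARDENED)):
        print(f"{name}: {len(scan_workflow(wf))} finding(s)")
        for f in scan_workflow(wf):
            print("  " + f)
```

Against `ORIGINAL` the scan reports the missing `permissions` block, both checkout steps twice (unpinned and credential-persisting) and the unpinned hadolint action; against `HARDENED` it reports nothing. The SHA check is deliberately strict: a `vN` or `vN.N.N` tag is treated as mutable even when the maintainers never move it, because the file gives the job no way to tell.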
AIPCC-16634

- Add CI workflow with ShellCheck, ruff, yamllint, and hadolint
- Add yamllint config matching existing YAML conventions
- Fix shellcheck warnings in cli/claudio and entrypoint.sh
- Fix hadolint warnings in Containerfile (dnf clean all, pipefail)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Rishabh Kothari <rkothari@redhat.com>
Summary
Adds a CI workflow that runs linting on PRs and pushes to main. Covers shell scripts (ShellCheck), YAML (yamllint), and the Containerfile (hadolint). Also fixes existing lint issues in entrypoint.sh, cli/claudio, and the Containerfile.
AIPCC-16634
Test plan
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Rishabh Kothari <rkothari@redhat.com>